As the endless litany of breaches, claims and counterclaims continues to feature in the media, we have to ask ourselves why taking cyber risk seriously is so difficult for organisations, whether in the public or private sectors.
Cyber security is not a new problem. Since the internet was created, with its emphasis on resilience and on keeping data shareable across networks, there has always been a tension between “need to know” and “need to share”. Organisations need to make their services accessible to their consumers and their systems accessible to users. But over the last 25 years, the battle to protect the privacy of the consumer and the security of institutions has become increasingly bitter, difficult and expensive.
The question of why breaches continue to occur remains unanswered. Given the amount of media coverage, the importance government ascribes to the protection of infrastructure and government systems, the sophistication of the toolsets available to protect systems, and the amount of money spent on IT each year, one would have thought that the ramparts were high enough and deep enough to deter all but the most skilled hacker.
Yet here we are. Breaches continue apace, despite governments issuing ever more compendious guidance, and continuous tightening of regulations across areas of critical national infrastructure.
Is the weakness on the supply side or on the demand side? Are buyers failing to ask for the right solutions or features? Or are suppliers overly confident in the ability of their solutions, or screwed down by competitive pressure to reduce the costs – and the security – of their solutions to a level the customer is prepared to afford? Or is it an unhealthy combination of the two?
What do we know? We can never avoid a breach 100%. Such a system does not and will never exist. Users are human, fallible, make mistakes and can be induced into behaving in ways inimical to security. And if someone in the ring of trust betrays that trust, it is hard to stop the damage.
A cyber warrior once said to me, “you can change systems, but you can’t change people”. And we know from our experience that people do what they can to make their lives easier: sharing passwords, leaving systems open, using workarounds to get what they need from systems that were not designed with them in mind.
In a global economy characterised by rising costs, increasing competition, supply-side constraints and falling output, the pressure on businesses to reduce cost and focus on shareholder returns is immense. But on cyber security the normal cost benefit analysis tools do not work. It is hard to articulate the benefits of a decent cyber approach when the outcome is a business that is able to continue trading in an environment that is increasingly hostile. We have yet to develop the lexicon that allows boards to understand why they need continually to invest in their people and processes (as well as their technology).
Good cyber security is not just about technology. We see too many companies investing heavily in technologies without concomitant investments in people, governance and leadership. These ‘softer’ investments are more difficult to make as they involve time and bodies, both of which are in short supply. Training people not to do risky things on your systems will save you more than all the firewalls you can put together.
As long as there are people using systems, whether internally, as customers, or as citizens, systems and their data will be at risk. And until organisations recognise that their biggest vulnerability rests with their people and their users, investments will continue to feel expensive and be resented as costs on the business rather than as essential protections that enable the business to thrive. But although you can’t change people, you can train them and make it easier for them to do the right thing rather than attempt to work around security features that make systems counter-intuitive or processes clunky. And you need to do both to be secure.
It’s hard to make systems both secure and user friendly. It is harder and more expensive to add security as an afterthought. If you bake the security requirement in at the start, you are more likely to get a secure system that users will accept.
Addressing cyber security risks is a long-term, organisation-wide, societal problem. To look at it as simply a technological issue is insufficient. So when your CIO comes to the board looking for more technology, make sure they have addressed the people and security issues as well. This may cost you more up front, but will save you bigger bucks in the long term.